W32/Agobot-QJ

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
\Symantec Security Routine Addon for Microsoft Windows = navpxaw32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
\Symantec Security Routine Addon for Microsoft Windows = navpxaw32.exe

and delete them if they exist.

Close the registry editor.

Deleting the HOSTS file

Delete the HOSTS file in C:\<Windows System32>\drivers\etc and replace it from backup.

Installing the Microsoft patches

Read the security bulletins, then download and install the Microsoft patches for the vulnerabilities mentioned above (at the time of writing MS03-001, MS03-007 and MS03-039). On standalone computers, update with all relevant security patches from Windows update.

W32/Agobot-QJ is an IRC backdoor Trojan and network worm which establishes an IRC channel to a remote server in order to grant an intruder access to the compromised machine.

This worm will move itself into the Windows System32 folder under the filename NAVPXAW32.EXE and may create the following registry entries so that it can execute automatically on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Symantec Security Routine Addon for Microsoft Windows = navpxaw32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Symantec Security Routine Addon for Microsoft Windows = navpxaw32.exe

This worm will also attempt to glean email addresses from the Windows Address Book and send itself to these email addresses using its own SMTP engine with itself included as an executable attachment.

W32/Agobot-QJ will attempt to terminate anti-virus and software firewall processes, in addition to other viruses, worms or Trojans.
For example:

'_AVPM.EXE'
'_AVPCC.EXE'
'_AVP32.EXE'
'ZONEALARM.EXE'
'ZONALM2601.EXE'
'ZATUTOR.EXE'
'ZAPSETUP3001.EXE'
'ZAPRO.EXE'
'XPF202EN.EXE'
'WYVERNWORKSFIREWALL.EXE'
'WUPDT.EXE'
'WUPDATER.EXE'
'WSBGATE.EXE'
'WRCTRL.EXE'
'WRADMIN.EXE'
'WNT.EXE'
'WNAD.EXE'
'WKUFIND.EXE'
'WINUPDATE.EXE'
'WINTSK32.EXE'
'WINSTART001.EXE'
'WINSTART.EXE'
'WINSSK32.EXE'
'WINSERVN.EXE'
'WINRECON.EXE'
'WINPPR32.EXE'
'WINNET.EXE'
'WINMAIN.EXE'
'WINLOGIN.EXE'
'WININITX.EXE'
'WININIT.EXE'
'WININETD.EXE'
'WINDOWS.EXE'
'WINDOW.EXE'
'WINACTIVE.EXE'
'WIN32US.EXE'
'WIN32.EXE'
'WIN-BUGSFIX.EXE'
'WIMMUN32.EXE'
'WHOSWATCHINGME.EXE'
'WGFE95.EXE'
'WFINDV32.EXE'
'WEBTRAP.EXE'
'WEBSCANX.EXE'
'WEBDAV.EXE'
'WATCHDOG.EXE'
'W9X.EXE'
'W32DSM89.EXE'
'VSWINPERSE.EXE'
'VSWINNTSE.EXE'
'VSWIN9XE.EXE'
'VSSTAT.EXE'
'VSMON.EXE'
'VSMAIN.EXE'
'VSISETUP.EXE'
'VSHWIN32.EXE'
'VSECOMR.EXE'
'VSCHED.EXE'
'VSCENU6.02D30.EXE'
'VSCAN40.EXE'
'VPTRAY.EXE'
'VPFW30S.EXE'
'VPC42.EXE'
'VPC32.EXE'
'VNPC3000.EXE'
'VNLAN300.EXE'
'VIRUSMDPERSONALFIREWALL.EXE'
'VIR-HELP.EXE'
'VFSETUP.EXE'
'VETTRAY.EXE'
'VET95.EXE'
'VET32.EXE'
'VCSETUP.EXE'
'VBWINNTW.EXE'
'VBWIN9X.EXE'
'VBUST.EXE'
'VBCONS.EXE'
'VBCMSERV.EXE'
'UTPOST.EXE'
'UPGRAD.EXE'
'UPDAT.EXE'
'UNDOBOOT.EXE'
'TVTMD.EXE'
'TVMD.EXE'
'TSADBOT.EXE'
'TROJANTRAP3.EXE'
'TRJSETUP.EXE'
'TRJSCAN.EXE'
'TRICKLER.EXE'
'TRACERT.EXE'
'TITANINXP.EXE'
'TITANIN.EXE'
'TGBOB.EXE'
'TFAK5.EXE'
'TFAK.EXE'
'TEEKIDS.EXE'
'TDS2-NT.EXE'
'TDS2-98.EXE'
'TDS-3.EXE'
'TCM.EXE'
'TCA.EXE'
'TC.EXE'
'TBSCAN.EXE'
'TAUMON.EXE'
'TASKMON.EXE'
'TASKMO.EXE'
'TASKMG.EXE'
'SYSUPD.EXE'
'SYSTEM32.EXE'
'SYSTEM.EXE'
'SYSEDIT.EXE'
'SYMTRAY.EXE'
'SYMPROXYSVC.EXE'
'SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE'
'SWEEP95.EXE'
'SVSHOST.EXE'
'SVCHOSTS.EXE'
'SVCHOSTC.EXE'
'SVC.EXE'
'SUPPORTER5.EXE'
'SUPPORT.EXE'
'SUPFTRL.EXE'
'STCLOADER.EXE'
'START.EXE'
'ST2.EXE'
'SSGRATE.EXE'
'SS3EDIT.EXE'
'SRNG.EXE'
'SREXE.EXE'
'SPYXX.EXE'
'SPOOLSV32.EXE'
'SPOOLCV.EXE'
'SPOLER.EXE'
'SPHINX.EXE'
'SPF.EXE'
'SPERM.EXE'
'SOFI.EXE'
'SOAP.EXE'
'SMSS32.EXE'
'SMS.EXE'
'SMC.EXE'
'SHOWBEHIND.EXE'
'SHN.EXE'
'UPDATE.EXE'
'SHELLSPYINSTALL.EXE'
'SH.EXE'
'SGSSFW32.EXE'
'SFC.EXE'
'SETUP_FLOWPROTECTOR_US.EXE'
'SETUPVAMEEVAL.EXE'
'SERVLCES.EXE'
'SERVLCE.EXE'
'SERVICE.EXE'
'SERV95.EXE'
'SD.EXE'
'SCVHOST.EXE'
'SCRSVR.EXE'
'SCRSCAN.EXE'
'SCANPM.EXE'
'SCAN95.EXE'
'SCAN32.EXE'
'SCAM32.EXE'
'SC.EXE'
'SBSERV.EXE'
'SAVENOW.EXE'
'SAVE.EXE'
'SAHAGENT.EXE'
'SAFEWEB.EXE'
'RUXDLL32.EXE'
'RUNDLL16.EXE'
'RUNDLL.EXE'
'RUN32DLL.EXE'
'RULAUNCH.EXE'
'RTVSCN95.EXE'
'RTVSCAN.EXE'
'RSHELL.EXE'
'RRGUARD.EXE'
'RESCUE32.EXE'
'RESCUE.EXE'
'REGEDT32.EXE'
'REGEDIT.EXE'
'REGED.EXE'
'REALMON.EXE'
'RCSYNC.EXE'
'RB32.EXE'
'RAY.EXE'
'RAV8WIN32ENG.EXE'
'RAV7WIN.EXE'
'RAV7.EXE'
'RAPAPP.EXE'
'QSERVER.EXE'
'QCONSOLE.EXE'
'PVIEW95.EXE'
'PUSSY.EXE'
'PURGE.EXE'
'PSPF.EXE'
'PROTECTX.EXE'
'PROPORT.EXE'
'PROGRAMAUDITOR.EXE'
'PROCEXPLORERV1.0.EXE'
'PROCESSMONITOR.EXE'
'PROCDUMP.EXE'
'PRMVR.EXE'
'PRMT.EXE'
'PRIZESURFER.EXE'
'PPVSTOP.EXE'
'PPTBC.EXE'
'PPINUPDT.EXE'
'POWERSCAN.EXE'
'PORTMONITOR.EXE'
'PORTDETECTIVE.EXE'
'POPSCAN.EXE'
'POPROXY.EXE'
'POP3TRAP.EXE'
'PLATIN.EXE'
'PINGSCAN.EXE'
'PGMONITR.EXE'
'PFWADMIN.EXE'
'PF2.EXE'
'PERSWF.EXE'
'PERSFW.EXE'
'PERISCOPE.EXE'
'PENIS.EXE'
'PDSETUP.EXE'
'PCSCAN.EXE'
'PCFWALLICON.EXE'
'PCDSETUP.EXE'
'PCCWIN98.EXE'
'PCCWIN97.EXE'
'PCCNTMON.EXE'
'PCCIOMON.EXE'
'PAVW.EXE'
'PAVSCHED.EXE'
'PAVPROXY.EXE'
'PAVCL.EXE'
'PATCH.EXE'
'PANIXK.EXE'
'PADMIN.EXE'
'OUTPOSTPROINSTALL.EXE'
'OUTPOSTINSTALL.EXE'
'OTFIX.EXE'
'OSTRONET.EXE'
'OPTIMIZE.EXE'
'ONSRVR.EXE'
'OLLYDBG.EXE'
'NWTOOL16.EXE'
'NWSERVICE.EXE'
'NWINST4.EXE'
'NVSVC32.EXE'
'NVC95.EXE'
'NVARCH16.EXE'
'NUI.EXE'
'NTXconfig.EXE'
'NTVDM.EXE'
'NTRTSCAN.EXE'
'NT.EXE'
'NSUPDATE.EXE'
'NSTASK32.EXE'
'NSSYS32.EXE'
'NSCHED32.EXE'
'NPSSVC.EXE'
'NPSCHECK.EXE'
'NPROTECT.EXE'
'NPFMESSENGER.EXE'
'NPF40_TW_98_NT_ME_2K.EXE'
'NOTSTART.EXE'
'NORTON_INTERNET_SECU_3.0_407.EXE'
'NORMIST.EXE'
'NOD32.EXE'
'NMAIN.EXE'
'NISUM.EXE'
'NISSERV.EXE'
'NETUTILS.EXE'
'NETSTAT.EXE'
'NETSPYHUNTER-1.2.EXE'
'NETSCANPRO.EXE'
'NETMON.EXE'
'NETINFO.EXE'
'NETD32.EXE'
'NETARMOR.EXE'
'NEOWATCHLOG.EXE'
'NEOMONITOR.EXE'
'NDD32.EXE'
'NCINST4.EXE'
'NAVWNT.EXE'
'NAVW32.EXE'
'NAVSTUB.EXE'
'NAVNT.EXE'
'NAVLU32.EXE'
'NAVENGNAVEX15.NAVLU32.EXE'
'NAVDX.EXE'
'NAVAPW32.EXE'
'NAVAPSVC.EXE'
'NAVAP.NAVAPSVC.EXE'
'AUTO-PROTECT.NAV80TRY.EXE'
'NAV.EXE'
'OUTPOST.EXE'
'NUPGRADE.EXE'
'N32SCANW.EXE'
'MWATCH.EXE'
'MU0311AD.EXE'
'MSVXD.EXE'
'MSSYS.EXE'
'MSSMMC32.EXE'
'MSMSGRI32.EXE'
'MSMGT.EXE'
'MSLAUGH.EXE'
'MSINFO32.EXE'
'MSIEXEC16.EXE'
'MSDOS.EXE'
'MSDM.EXE'
'MSCONFIG.EXE'
'MSCMAN.EXE'
'MSCCN32.EXE'
'MSCACHE.EXE'
'MSBLAST.EXE'
'MSBB.EXE'
'MSAPP.EXE'
'MRFLUX.EXE'
'MPFTRAY.EXE'
'MPFSERVICE.EXE'
'MPFAGENT.EXE'
'MOSTAT.EXE'
'MOOLIVE.EXE'
'MONITOR.EXE'
'MMOD.EXE'
'MINILOG.EXE'
'MGUI.EXE'
'MGHTML.EXE'
'MGAVRTE.EXE'
'MGAVRTCL.EXE'
'MFWENG3.02D30.EXE'
'MFW2EN.EXE'
'MFIN32.EXE'
'MD.EXE'
'MCVSSHLD.EXE'
'MCVSRTE.EXE'
'MCTOOL.EXE'
'MCSHIELD.EXE'
'MCMNHDLR.EXE'
'MCAGENT.EXE'
'MAPISVC32.EXE'
'LUSPT.EXE'
'LUINIT.EXE'
'LUCOMSERVER.EXE'
'LUAU.EXE'
'LSETUP.EXE'
'LORDPE.EXE'
'LOOKOUT.EXE'
'LOCKDOWN2000.EXE'
'LOCKDOWN.EXE'
'LOCALNET.EXE'
'LOADER.EXE'
'LNETINFO.EXE'
'LDSCAN.EXE'
'LDPROMENU.EXE'
'LDPRO.EXE'
'LDNETMON.EXE'
'LAUNCHER.EXE'
'KILLPROCESSSETUP161.EXE'
'KERNEL32.EXE'
'KERIO-WRP-421-EN-WIN.EXE'
'KERIO-WRL-421-EN-WIN.EXE'
'KERIO-PF-213-EN-WIN.EXE'
'KEENVALUE.EXE'
'KAZZA.EXE'
'KAVPF.EXE'
'KAVPERS40ENG.EXE'
'KAVLITE40ENG.EXE'
'JEDI.EXE'
'JDBGMRG.EXE'
'JAMMER.EXE'
'ISTSVC.EXE'
'MCUPDATE.EXE'
'LUALL.EXE'
'ISRV95.EXE'
'ISASS.EXE'
'IRIS.EXE'
'IPARMOR.EXE'
'IOMON98.EXE'
'INTREN.EXE'
'INTDEL.EXE'
'INIT.EXE'
'INFWIN.EXE'
'INFUS.EXE'
'INETLNFO.EXE'
'IFW2000.EXE'
'IFACE.EXE'
'IEXPLORER.EXE'
'IEDRIVER.EXE'
'IEDLL.EXE'
'IDLE.EXE'
'ICSUPPNT.EXE'
'ICMON.EXE'
'ICLOADNT.EXE'
'ICLOAD95.EXE'
'IBMAVSP.EXE'
'IBMASN.EXE'
'IAMSTATS.EXE'
'IAMSERV.EXE'
'IAMAPP.EXE'
'HXIUL.EXE'
'HXDL.EXE'
'HWPE.EXE'
'HTPATCH.EXE'
'HTLOG.EXE'
'HOTPATCH.EXE'
'HOTACTIO.EXE'
'HBSRV.EXE'
'HBINST.EXE'
'HACKTRACERSETUP.EXE'
'GUARDDOG.EXE'
'GUARD.EXE'
'GMT.EXE'
'GENERICS.EXE'
'GBPOLL.EXE'
'GBMENU.EXE'
'GATOR.EXE'
'FSMB32.EXE'
'FSMA32.EXE'
'FSM32.EXE'
'FSGK32.EXE'
'FSAV95.EXE'
'FSAV530WTBYB.EXE'
'FSAV530STBYB.EXE'
'FSAV32.EXE'
'FSAV.EXE'
'FSAA.EXE'
'FRW.EXE'
'FPROT.EXE'
'FP-WIN_TRIAL.EXE'
'FP-WIN.EXE'
'FNRB32.EXE'
'FLOWPROTECTOR.EXE'
'FIREWALL.EXE'
'FINDVIRU.EXE'
'FIH32.EXE'
'FCH32.EXE'
'FAST.EXE'
'FAMEH32.EXE'
'F-STOPW.EXE'
'F-PROT95.EXE'
'F-PROT.EXE'
'F-AGNT95.EXE'
'EXPLORE.EXE'
'EXPERT.EXE'
'EXE.AVXW.EXE'
'EXANTIVIRUS-CNET.EXE'
'EVPN.EXE'
'ETRUSTCIPE.EXE'
'ETHEREAL.EXE'
'ESPWATCH.EXE'
'ESCANV95.EXE'
'ICSUPP95.EXE'
'ESCANHNT.EXE'
'ESCANH95.EXE'
'ESAFE.EXE'
'ENT.EXE'
'EMSW.EXE'
'EFPEADM.EXE'
'ECENGINE.EXE'
'DVP95_0.EXE'
'DVP95.EXE'
'DSSAGENT.EXE'
'DRWEBUPW.EXE'
'DRWEB32.EXE'
'DRWATSON.EXE'
'DPPS2.EXE'
'DPFSETUP.EXE'
'DPF.EXE'
'DOORS.EXE'
'DLLREG.EXE'
'DLLCACHE.EXE'
'DIVX.EXE'
'DEPUTY.EXE'
'DEFWATCH.EXE'
'DEFSCANGUI.EXE'
'DEFALERT.EXE'
'DCOMX.EXE'
'DATEMANAGER.EXE'
'Claw95.EXE'
'CWNTDWMO.EXE'
'CWNB181.EXE'
'CV.EXE'
'CTRL.EXE'
'CPFNT206.EXE'
'CPF9X206.EXE'
'CPD.EXE'
'CONNECTIONMONITOR.EXE'
'CMON016.EXE'
'CMGRDIAN.EXE'
'CMESYS.EXE'
'CMD32.EXE'
'CLICK.EXE'
'CLEANPC.EXE'
'CLEANER3.EXE'
'CLEANER.EXE'
'CLEAN.EXE'
'CFINET32.EXE'
'CFINET.EXE'
'CFIADMIN.EXE'
'CFGWIZ.EXE'
'CFD.EXE'
'CDP.EXE'
'CCPXYSVC.EXE'
'CCEVTMGR.EXE'
'CCAPP.EXE'
'BVT.EXE'
'BUNDLE.EXE'
'BS120.EXE'
'BRASIL.EXE'
'BPC.EXE'
'BORG2.EXE'
'BOOTWARN.EXE'
'BOOTCONF.EXE'
'BLSS.EXE'
'BLACKICE.EXE'
'BLACKD.EXE'
'BISP.EXE'
'BIPCPEVALSETUP.EXE'
'BIPCP.EXE'
'BIDSERVER.EXE'
'BIDEF.EXE'
'BELT.EXE'
'BEAGLE.EXE'
'BD_PROFESSIONAL.EXE'
'BARGAINS.EXE'
'BACKWEB.EXE'
'CLAW95CF.EXE'
'CFIAUDIT.EXE'
'AVXMONITORNT.EXE'
'AVXMONITOR9X.EXE'
'AVWUPSRV.EXE'
'AVWUPD.EXE'
'AVWINNT.EXE'
'AVWIN95.EXE'
'AVSYNMGR.EXE'
'AVSCHED32.EXE'
'AVPTC32.EXE'
'AVPM.EXE'
'AVPDOS32.EXE'
'AVPCC.EXE'
'AVP32.EXE'
'AVP.EXE'
'AVNT.EXE'
'AVLTMAIN.EXE'
'AVKWCTl9.EXE'
'AVKSERVICE.EXE'
'AVKSERV.EXE'
'AVKPOP.EXE'
'AVGW.EXE'
'AVGUARD.EXE'
'AVGSERV9.EXE'
'AVGSERV.EXE'
'AVGNT.EXE'
'AVGCTRL.EXE'
'AVGCC32.EXE'
'AVE32.EXE'
'AVCONSOL.EXE'
'AU.EXE'
'ATWATCH.EXE'
'ATRO55EN.EXE'
'ATGUARD.EXE'
'ATCON.EXE'
'ARR.EXE'
'APVXDWIN.EXE'
'APLICA32.EXE'
'APIMONITOR.EXE'
'ANTS.EXE'
'ANTIVIRUS.EXE'
'ANTI-TROJAN.EXE'
'AMON9X.EXE'
'ALOGSERV.EXE'
'ALEVIR.EXE'
'ALERTSVC.EXE'
'AGENTW.EXE'
'AGENTSVR.EXE'
'ADVXDWIN.EXE'
'ADAWARE.EXE'
'AVXQUAR.EXE'
'ACKWIN32.EXE'
'AVWUPD32.EXE'
'AVPUPD.EXE'
'AUTOUPDATE.EXE'
'AUTOTRACE.EXE'
'AUTODOWN.EXE'
'AUPDATE.EXE'
'ATUPDATER.EXE'

This worm will search for shared folders on the internet with weak passwords and copy itself into them. A text file named HOSTS may also be dropped into
C:\<Windows System32>\drivers\etc which may contain a list of anti-virus and other security related websites each bound to the IP loopback address of 127.0.0.1 which would effectively prevent access to these sites.
For example:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com

W32/Agobot-QJ can sniff HTTP, ICMP, FTP, VULN and IRC network traffic and steal data from them.

The following vulnerabilities can also be exploited to aid propagation on unpatched systems and manipulate registry keys:

Remote Procedure Call (RPC) vulnerability

Distributed Component Object Model (DCOM) vulnerability

RPC Locator vulnerability

IIS5/WEBDAV Buffer Overflow vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS03-026
(Microsoft Security Bulletin MS03-026 has been superseded by Microsoft Security Bulletin MS03-039.)

W32/Agobot-QJ can also polymorph on installation in order to evade detection and share / delete the admin$, ipc$ etc drives.

It can also test the available bandwidth by attempting to GET or POST data to the following websites:

'yahoo.co.jp'
'www.nifty.com'
'www.d1asia.com'
'www.st.lib.keio.ac.jp'
'www.lib.nthu.edu.tw'
'www.above.net'
'www.level3.com'
'nitro.ucsc.edu'
'www.burst.net'
'www.cogentco.com'
'www.rit.edu'
'www.nocster.com'
'www.verio.com'
'www.stanford.edu'
'www.xo.net'
'de.yahoo.com'
'www.belwue.de'
'www.switch.ch'
'www.1und1.de'
'verio.fr'
'www.utwente.nl'
'www.schlund.net'

W32/Agobot-QJ can also be used to initiate denial-of-service (DoS) and distributed denial-of-service (DDoS) synflood / httpflood / fraggle / smurf etc attacks against remote systems.

This worm can steal the Windows Product ID and keys from several computer applications or games including:

AOL Instant Messenger
Battlefield 1942
Battlefield 1942: Secret Weapons Of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Call of Duty
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
Industry Giant 2
IGI2: Covert Strike
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
NHL 2002
NHL 2003
Need For Speed: Hot Pursuit 2
Need For Speed: Underground
Shogun Total War - Warlord Edition
Soldiers Of Anarchy
Soldier of Fortune II - Double Helix
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
Windows Messenger

W32/Agobot-QJ will delete all files named 'sound*.*'.